b' U.S. DEPARTMENT OF EDUCATION\nOFFICE OF THE INSPECTOR GENERAL\n\n\n\n\n  REVIEW OF YEAR 2000 RELATED RISK\n TO PROGRAMS ADMINISTERED UNDER\nTITLE IV OF THE HIGHER EDUCATION ACT\n\n         Control Number S11-80014\n                January 1999\n\n\n MANAGEMENT INFORMATION REPORT\n\n\n\n\n        Regional Inspector General for Audit\n           Washington DC Field Office\n\x0c          REVIEW OF YEAR 2000 RELATED RISK\n          TO PROGRAMS ADMINISTERED UNDER\n        TITLE IV OF THE HIGHER EDUCATION ACT\n\n\n\n                           TABLE OF CONTENTS\n\nExecutive Summary................................................................. 1\n\nBackground ............................................................................. 2\n\nED Has Made Significant Progress\nin Preparing SFA Systems for Y2K Compliance..................... 4\n\nY2K Risk Assessment ............................................................. 5\n\nScope and Methodology ......................................................... 8\n\nExhibit 1 .................................................................................. 11\n\nAppendix \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 \xe2\x80\xa6 .. 14\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n\n                                        Executive Summary\nWe have assessed the risk of the U.S. Department of Education\xe2\x80\x99s (ED\xe2\x80\x99s) systems and hardware\nnot being able to process Student Financial Assistance (SFA) in the year 2000 (Y2K). Our\nassessment addressed the state of readiness of ED\xe2\x80\x99s 13 mission-critical systems involved in the\ndelivery of SFA as reported on by ED\xe2\x80\x99s Independent Verification and Validation (IV&V)\ncontractors.\n\nED has Made Significant Progress\n\nBased on the progress made in recent months, the risk of ED\xe2\x80\x99s systems and hardware not being\nready for Y2K has been significantly diminished. Presently, 10 of the 13 mission-critical systems\ninstrumental in the delivery of SFA have been reported by ED as renovated, validated and\nimplemented. IV&V supports this conclusion with the exception of some minor issues which\nshould not impact Y2K implementation. We concur with IV&V that all systems should, by ED\xe2\x80\x99s\ndefinition, be implemented by March 31, 1999.\n\nFour Crosscutting Areas of Risk Remain\n\nIt is important to note that ED has not included end-to-end testing, trading partner testing or\ncontingency planning as prerequisites for implementation. These three areas of risk, along with\nplanned system enhancements will warrant continued monitoring.\n\xe2\x80\xa2 End-to-End Testing \xe2\x80\x93 ED\xe2\x80\x99s end-to-end test plan appears complete and is in the process of\n     being implemented, but is not expected to be completed until Summer 1999.\n\xe2\x80\xa2 External Trading Partners \xe2\x80\x93 ED has greatly increased the SFA community\xe2\x80\x99s Y2K awareness,\n     and has invited all institutions to test their data exchanges during \xe2\x80\x9cwindows\xe2\x80\x9d of opportunity.\n     Despite this effort, ED should anticipate that some trading partners may not achieve Y2K\n     compliance. The number and nature of trading partner problems will determine the impact.\n\xe2\x80\xa2 Contingency Planning - ED expects to have its contingency plans established by March 31,\n     1999 and tested by July 1, 1999. The diminishing time available to address any problems\n     arising from the end-to-end or trading partner testing magnifies the importance of a thorough\n     contingency planning process.\n\xe2\x80\xa2 New Systems/Functionality - ED has several development initiatives and systems\n     enhancements planned for 1999 that must be monitored to ensure that they do not have a\n     negative impact on its Y2K readiness.\n\nED Is on Track to Achieve Y2K Readiness\n\nEach of the areas of risk identified above has been discussed with ED management, and is being\naddressed through the Department\xe2\x80\x99s Y2K Steering Committee. In our opinion, ED is presently\non track to achieve Y2K readiness for its SFA-related mission-critical systems prior to January 1,\n2000, contingent upon the Department\xe2\x80\x99s ability to adequately address the areas of risk mentioned\nabove. Our conclusion is based on the current status of ED\xe2\x80\x99s Y2K effort, the resources available\nand the rate of progress demonstrated in recent months, as confirmed by the IV&V process.\n\n\n                                                       1\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n\n                                                              Background\nHEA Requirements                  This risk assessment is the first of two Office of Inspector General\nConcerning Y2K                    reports concerning the Year 2000 issue required by the Higher\n                                  Education Act (HEA) of 1965, as amended. The 1998\n                                  amendments to the HEA require the OIG to perform and publish a\n                                  risk assessment of the systems and hardware under the\n                                  Department\xe2\x80\x99s management. Additionally, the amendments require\n                                  OIG to report on the results of our review of the Department\xe2\x80\x99s\n                                  Year 2000 compliance for processing, delivery, and administration\n                                  of grant, loan, and work assistance programs by June 30, 1999.\n\n                                  The HEA requires the Secretary of Education to \xe2\x80\x9ctake such actions\n                                  as necessary to ensure that all internal and external systems,\n                                  hardware, and data exchange infrastructure administered by the\n                                  Department that are necessary for the processing, delivery, and\n                                  administration of the grant, loan and work assistance are Year-\n                                  2000 compliant by March 31, 1999, such that there will be no\n                                  business interruption after December 31, 1999.\xe2\x80\x9d This deadline for\n                                  the systems supporting higher education programs is consistent\n                                  with the Office of Management and Budget\xe2\x80\x99s requirement that\n                                  Federal Agencies complete their Y2K compliance for all Federal\n                                  systems by March 31, 1999.\n\n                                  The Y2K issue arises from the inability of computer systems to\n                                  store or process dates beyond December 31, 1999. Computer\n                                  systems that use a two-digit date field (i.e., \xe2\x80\x9c99\xe2\x80\x9d for the year 1999)\n                                  may not be able to recognize \xe2\x80\x9c00\xe2\x80\x9d as the year 2000. Without\n                                  renovation, these systems may fail or produce erroneous results.\n                                  The Department is currently taking steps to mitigate the risk of the\n                                  Year 2000 (Y2K) issue impacting its computer systems and\n                                  programs.\n\nOversight Entities                The OIG, OMB and the General Accounting Office (GAO) have\nHave Been Critical of             been critical of the Department\xe2\x80\x99s past efforts to prepare for the\nPast Y2K Efforts                  Year 2000. In our March 1998 audit report The Status of the U.S.\n                                  Department of Education\xe2\x80\x99s Readiness for Year 2000,\xe2\x80\x9d we reported\n                                  that the Department was behind schedule in establishing its Year\n                                  2000 readiness and needed to accelerate its efforts. We reported\n                                  that ED needed to:\n\n\n\n\n                                                       2\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                  \xe2\x80\xa2    Complete its systems inventory;\n                                  \xe2\x80\xa2    Develop an accurate and supported cost estimate;\n                                  \xe2\x80\xa2    Complete a Year 2000 management plan;\n                                  \xe2\x80\xa2    Improve coordination and communication with data providers;\n                                  \xe2\x80\xa2    Enhance its oversight of contractor Year 2000 compliance; and\n                                  \xe2\x80\xa2    Initiate contingency plans for mission-critical systems.\n\n                                  Although ED has made significant progress since our March 1998\n                                  report, the diminishing time remaining to address the problem\n                                  remains a concern. In its September 17, 1998, testimony Year\n                                  2000 Computing Crisis: Significant Risks Remain to Department\n                                  of Education\'s Student Financial Aid Systems before the\n                                  Subcommittee on Oversight and Investigations, House Committee\n                                  on Education and the Workforce, GAO reported that Y2K failures\n                                  could severely disrupt the Department\xe2\x80\x99s student financial aid\n                                  delivery process, potentially delaying disbursements and application\n                                  processing. GAO stated that the Department was accelerating its\n                                  Year 2000 program, but with the slow start, it is still playing catch\n                                  up. GAO also expressed concern that because of system\n                                  interdependencies, repercussions from Year 2000-related problems\n                                  could be felt throughout the student financial aid community.\n\n                                  Until recently, OMB classified the Department in its listing of Tier\nOMB Recently                      One agencies not evidencing adequate process in preparing for the\nUpgraded Education                Year 2000. In December 1998, OMB upgraded the Department to\nto Tier Two                       Tier Two based on ED\xe2\x80\x99s most recent progress report. Tier Two\n                                  includes agencies where OMB sees evidence of progress, but also\n                                  has concerns. OMB concerns include 1) the Pell system renovation\n                                  schedule slipping to December 1998 and 2) the Department\xe2\x80\x99s\n                                  numerous data exchanges which may be at risk and will require\n                                  additional oversight and end-to-end testing.\n\n                                  Success of the Department\xe2\x80\x99s Year 2000 process is critical. Failure\nFailure of the Y2K                to adequately prepare for the Year 2000 could result in significant\nEffort Could                      disruptions in the delivery of student aid, such as the inability to\nSignificantly Disrupt             originate new student loans, pay guaranty agency and lender claims,\nStudent Aid                       and administer education grants. These negative outcomes can be\n                                  avoided by the Department\xe2\x80\x99s implementation of Year 2000\n                                  compliant systems and by the development of strong contingency\n                                  plans to ensure uninterrupted service.\n\n\n\n\n                                                       3\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n\n                                       ED Has Made Significant Progress In\n                                    Preparing SFA Systems For Y2K Compliance\n                                  The Department has made significant progress in renovating its\n                                  systems and expects to be in compliance with OMB\xe2\x80\x99s and HEA\xe2\x80\x99s\n                                  requirement to implement compliant SFA related systems by March\n                                  31, 1999. In fact, the Department currently reports that ten of\n                                  thirteen mission-critical systems impacting student financial aid\n                                  delivery have been renovated, validated and implemented. These\n                                  systems include:\n\n                                  1. Direct Loan Central Database (DLCD)\n                                  2. Direct Loan Origination System (DLOS)\n                                  3. Direct Loan Servicing System (DLSS)\n                                  4. Postsecondary Education Participants System (PEPS)\n                                  5. Education\xe2\x80\x99s Central Automated Processing System (EDCAPS)\n                                  6. Campus Based System (CBS)\n                                  7. National Student Loan Data System (NSLDS)\n                                  8. Pell Grant Recipients Financial Management System (PELL)\n                                  9. Title IV Wide Area Network (TIVWAN)\n                                  10. Multiple Data Entry System(MDE)\n\n                                  Our review of IV&V documentation supports the assertion that\n                                  nine of these systems completed renovation and validation except\n                                  for minor issues that remain outstanding for EDCAPS, DLSS,\n                                  DLOS, CBS and TIVWAN that should not affect implementation.\n                                  While the Department reports the PELL system as implemented,\n                                  we found that the IV&V contractor has not yet completed its\n                                  independent validation of the final test documents. However, the\n                                  IV&V contractor informed OIG that they are nearing completion of\n                                  their work and are not aware of any issues affecting validation and\n                                  implementation.\n\n                                  The Department reports that the remaining three systems will\n                                  complete the implementation phase before the March 1999\n                                  deadline. Our review of IV&V documentation disclosed no\n                                  indications that the Department would miss their target dates.\n                                  These systems include:\n\n                                  1) Central Processing System (CPS): January 1999\n                                  2) Education\xe2\x80\x99s Local Area Network (EDNET): January 1999\n                                  3) Federal Family Education Loan Program (FFEL): March 1999\n\n\n\n\n                                                       4\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                  While systems reported as implemented have been independently\n                                  validated and put into production, they have not met all the criteria\n                                  GAO recommends be met before systems are implemented as Year\n                                  2000 compliant. In its two guides, Year 2000 Computer Crisis: An\n                                  Assessment Guide [GAO/AIMD-10.1.14] and Year 2000 Computer\n                                  Crisis: A Testing Guide [GAO/AIMD-10.1.21], GAO recommends\n                                  completion of end-to-end testing and implementation of\n                                  contingency plans before systems are reported as implemented. ED\n                                  has not yet completed these tasks, although both are currently in\n                                  process and on schedule to meet the OMB required dates.\n\n\n                                                        Y2K Risk Assessment\n                                  Overall, we have concluded that the risk of ED\xe2\x80\x99s systems and\n                                  hardware not being ready for Y2K has been significantly diminished\n                                  based on the work achieved in the past few months. Our\n                                  assessment of Y2K risk of Departmental systems critical to student\n                                  financial aid delivery is presented in Exhibit 1. We assessed the\n                                  level of risk outstanding for each of the individual systems based on\n                                  a review of the following factors:\n\n                                  \xe2\x80\xa2    Status of Commercial Off the Shelf (COTS) Software Products;\n                                  \xe2\x80\xa2    Status of the Network and Operating Environment;\n                                  \xe2\x80\xa2    Status of External Interfaces;\n                                  \xe2\x80\xa2    Sufficiency of Resources Available;\n                                  \xe2\x80\xa2    Remaining Time to Complete Implementation;\n                                  \xe2\x80\xa2    Status of the Validation Process; and\n                                  \xe2\x80\xa2    Status of the Implementation Process.\n\n                                  We describe our methodology and source of supporting data in the\n                                  Scope and Methodology section of this report. Appendix A\n                                  provides a description of the thirteen systems included in our\n                                  assessment. The Summary Risk column provides our overall\n                                  evaluation of the level of risk associated with the individual\n                                  systems. The following descriptions provide a guide for\n                                  interpreting the level of risk:\n\n                                  BLUE:             The system has been implemented, IV&V has been\n                                                    completed, and there are no outstanding IV&V\n                                                    issues. Additionally, end-to-end testing and\n                                                    contingency planning involving this system has been\n                                                    completed.\n\n                                  GREEN:            The system has been implemented, IV&V has been\n\n                                                       5\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                                    completed, and there are no outstanding IV&V\n                                                    issues.\n\n                                  YELLOW:          The system requires monitoring because\n                                                   implementation is not yet complete, IV&V has not\n                                                   been completed, and/or minor issues need to be\n                                                   resolved. The system is expected to complete\n                                                   implementation by March 31, 1999.\n\n                                  RED:              The system requires monitoring because major\n                                                    issues indicate that the system may not be\n                                                    implemented by March 31, 1999.\n\n                                  There were no systems meeting our summary risk criteria for\n                                  BLUE and RED. The following four systems had a summary risk\n                                  of GREEN: DLCD, NSLDS, PEPS and MDE. The remaining nine\n                                  systems had a summary risk rating of YELLOW.\n\n                                  In addition to assessing risks at the system level, we identified four\n                                  crosscutting risk areas that may impact the Department\xe2\x80\x99s ability to\n                                  continue processing student financial aid without disruptions.\n\n                                  \xe2\x80\xa2 ED Needs to Complete End-to-End Testing: End-to-end\n                                    testing between the ED\xe2\x80\x99s systems and its trading partners is\n                                    critical to ensure that interrelated systems will collectively\n                                    operate. The Department has developed an end-to-end testing\n                                    plan for its core business processes, shared it for comment\n                                    within the financial aid community and incorporated the\n                                    suggestions received into its final plan. Although testing is\n                                    underway, it is not expected to be completed until after the\n                                    March 31, 1999 deadline required by the HEA. In part, the\n                                    protracted testing process is necessary to accommodate some\n                                    large institutions and servicers that are not expected to be ready\n                                    for testing until Summer 1999. Based on our review, the end-\n                                    to-end testing plan developed by ED includes all critical data\n                                    exchanges. However, the diminishing time available to\n                                    complete all essential end-to-end testing and resolve any new\n                                    issues identified during the process poses additional risk.\n\n                                  \xe2\x80\xa2 External Trading Partners: Due in part to a significant\n                                    outreach effort from ED, awareness of the Y2K problem is\n                                    building among the many external parties participating in the\n                                    student financial aid programs, such as lenders, guaranty\n                                    agencies and schools. However, despite a concerted effort in\n                                    recent months to provide advice and disseminate information\n                                    about how to become Y2K compliant, the status of readiness of\n\n                                                       6\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                       many members of the education community remains unknown.\n                                       ED\xe2\x80\x99s Y2K plans include scheduled time \xe2\x80\x9cwindows\xe2\x80\x9d from April\n                                       12, 1999 through October 1, 1999 when external trading\n                                       partners are invited to test the ability of their systems to\n                                       exchange data with ED systems. Even with this risk-mitigation\n                                       strategy, it is expected that some participating institutions will\n                                       not take advantage of the testing opportunity, and/or fail to\n                                       achieve timely compliance. Y2K failures at trading partners\n                                       could disrupt the student financial aid process, unless adequate\n                                       contingency plans are in place.\n\n                                  \xe2\x80\xa2 Contingency Plans Need to be Completed: The Department\n                                    needs to complete its ongoing contingency planning process to\n                                    ensure the continuity of the student financial aid process. ED\n                                    reports that its current effort is progressing in accordance with\n                                    its established timetable and OMB reported milestones. Sixteen\n                                    process teams with membership from across the Department,\n                                    including OIG representation, are developing contingency plans\n                                    for ED\xe2\x80\x99s core business processes. The planning process also\n                                    includes consultation and coordination with ED\xe2\x80\x99s business\n                                    partners. While the Department is presently a few weeks\n                                    behind schedule, the SFA Contingency Planning Coordinator\n                                    has expressed confidence that ED is still on target to have all\n                                    plans established prior to March 31, 1999 and tested before July\n                                    1, 1999. In addition to addressing potential Y2K failures of\n                                    Department managed systems, the contingency plans will need\n                                    to address failures affecting SFA that could occur at trading\n                                    partners or with the public infrastructure. ED has recognized\n                                    that further work will be required to test and update\n                                    contingency plans as needed until December 31, 1999. To\n                                    complete its planning effort, the Department will also need to\n                                    address funding to cover the costs of implementing contingency\n                                    options. These costs have not yet been estimated.\n\n                                  \xe2\x80\xa2 Continuous Monitoring for New Systems/Function: ED has\n                                    several development initiatives and system enhancements that\n                                    are ongoing or planned for 1999 that must be monitored to\n                                    ensure that they do not have a negative impact on its Y2K\n                                    readiness. They include: conversion of TIVWAN from dial-up\n                                    to an Internet-based infrastructure, ongoing consolidation of\n                                    critical systems at a single physical site and transition to the new\n                                    Pell system. Other activities that are targeted at maintenance or\n                                    resolving previously identified problems also present a risk.\n                                    Included in this category are remediation of network security\n                                    concerns, resolution of virus protection software issues, and\n                                    continued activity to improve EDCAPS functionality. The\n\n                                                       7\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                       risks in this category are also impacted by organizational and\n                                       key personnel changes that have recently occurred or are\n                                       expected in the near future.\n\nED Is Committed to                We have discussed each of the four risk areas with ED\xe2\x80\x99s Y2K\nMitigate Risk                     Steering Committee. They have presented status reports of their\n                                  plans to address end-to-end testing, trading partner testing and\n                                  contingency planning. They have also committed to monitor\n                                  planned system enhancements to ensure that they do not have a\n                                  negative impact on the Department\xe2\x80\x99s Y2K readiness.\n\nED Is on Track for                We are of the opinion that ED is on track to achieve Y2K\nY2K Readiness                     compliance prior to January 1, 2000, contingent upon the\n                                  Department\xe2\x80\x99s ability to adequately address each of the four risk\n                                  areas presented above. We base this conclusion on our analysis of\n                                  the data presented in Exhibit 1 and the significant rate of progress\n                                  in recent months as confirmed by the IV&V process.\n\n\n\n\n                                                      Scope and Methodology\nReport Addresses                  We assessed the risk that the Department\xe2\x80\x99s systems and hardware\nRisk of Non-                      for the processing, delivery, and administration of the grant, loan\nCompliant Systems                 and work assistance programs would not be Year 2000 compliant\n                                  such that there will be no business interruption after December 31,\n                                  1999. The focus of our assessment is the Department\xe2\x80\x99s\n                                  implementation of its Year 2000 Project and the status of systems\n                                  supporting student financial aid programs. The scope of our risk\n                                  assessment did not include sufficient steps to independently verify\n                                  management\xe2\x80\x99s assertions concerning systems reported as\n                                  successfully implemented. Also, our report does not include an\n                                  assessment of the severity of disruptions that may occur should the\n                                  Department ultimately not be successful in implementing Year 2000\n                                  compliant systems.\n\n                                  We included thirteen of the Department\xe2\x80\x99s mission-critical systems\n                                  in our assessment. These systems include eleven SFA program\n                                  specific systems operated by the Office of Student Financial Aid.\n                                  The remaining two systems are the Department\xe2\x80\x99s financial system\nOIG Identified                    and its Departmentwide network. These two systems, managed by\nThirteen Critical                 the Office of Chief Financial and Chief Information Officer, also\nSystems Affecting                 provide critical functions for student financial aid. Appendix A\nSFA                               provides a listing of the thirteen systems and their related functions.\n\n\n                                                       8\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n\n                                  Our assessment included identifying general risks affecting the\nMITRE Corporation\xe2\x80\x99s               entire student financial aid delivery process under the Department\xe2\x80\x99s\nY2K Scorecard                     control and specific risks affecting individual systems. In reviewing\n                                  the Y2K risks for individual systems, we used a modified version of\n                                  theY2K Scorecard approach developed by the MITRE\n                                  Corporation, and included on its website as public information.\n                                  MITRE developed the Y2K Scorecard as a management tool for\n                                  providing standard, periodic high level reporting on the risk that the\n                                  Year 2000 problems will impact the missions of an organization\xe2\x80\x99s\n                                  systems. The Scorecard identifies the level of risk for a number of\n                                  risk drivers and it gives a snapshot of the progress each system has\n                                  made in resolving its Y2K problems. The Scorecard uses four\n                                  color codes to indicate the level of risk. The color codes, from\n                                  lower to higher risk include: BLUE, GREEN, YELLOW and\n                                  RED.\n\n                                  Data supporting our assessments was primarily gathered from our\nReliance on the IV&V              monitoring of the Independent Verification and Validation (IV&V)\nProcess                           process used by the Department to ensure that systems were\n                                  properly renovated and validated. Intermetrics provides the IV&V\n                                  services for the eleven SFA program specific systems, while Booz-\n                                  Allen & Hamilton provides the IV&V for EDCAPS and the\n                                  EDNET. Based on our work, we determined that these contractors\n                                  were adequately performing the IV&V process and that we could\n                                  rely on their work in conducting our risk assessment. To gain this\n                                  reliance and gather risk data, we:\n\n                                  \xe2\x80\xa2 Gained an understanding of the IV&V services being provided\n                                    by reviewing the contracts and planning documentation and\n                                    discussing the process with Department and contractor\n                                    personnel;\n\n                                  \xe2\x80\xa2 Observed the IV&V process by attending meetings,\n                                    participating in IV&V test visits, and interviewing contractor\n                                    staff; and\n\n\n\n\n                                  \xe2\x80\xa2 Reviewed monthly status reports, system closure plans, draft\n                                    and final IV&V reports, and other appropriate documentation.\n\n                                  Additionally, we gathered risk information from other OIG\nOther OIG                         monitoring efforts including:\nProcedures\n\n                                                       9\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n                                  \xe2\x80\xa2 Review of Monthly and Quarterly Status reports submitted by\n                                    the Department to OMB;\n\n                                  \xe2\x80\xa2 Review of Y2K Project documentation, including the\n                                    Department\xe2\x80\x99s Y2K management plan, draft end-to-end testing\n                                    plans, draft contingency plans, and documents disseminated to\n                                    trading partners as part of the Department\xe2\x80\x99s outreach efforts;\n\n                                  \xe2\x80\xa2 Review of Department and GAO testimony concerning the\n                                    Department\xe2\x80\x99s Y2K progress;\n\n                                  \xe2\x80\xa2 OIG attendance at weekly Y2K steering committee meetings\n                                    conducted by the Deputy Secretary;\n\n                                  \xe2\x80\xa2 OIG participation in Department contingency planning teams;\n\n                                  \xe2\x80\xa2 OIG audit reports including: The Status of the U.S.\n                                    Department of Education\xe2\x80\x99s Readiness for Year 2000 [Report\n                                    Number 11-70011, March 1998] and Funding the Year 2000\n                                    Conversion, A Report on ED\xe2\x80\x99s Y2K Cost Estimates [Report\n                                    Number 11-80011, December 1998];\n\n                                  \xe2\x80\xa2 OIG reviews of Y2K readiness at five guarantee agencies.\n\n\n\n\n                                                       10\n\x0c       ED OIG Management Information Report S11-80014\n       Review of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n                                                        Exhibit 1\n\n            Y2K Status Report for Systems Critical to OSFAP Program Delivery\n System    Principal Summary          COTS Network& External Resources                     Time       Validation Implemen-\n  Name      Office     Risk          Software Operating Interfaces                                                 tation\n                                              Environ-\n                                                ment\n\nEDCAPS       OCFO\n\n\n\nEDNET        OCIO\n\n\n\n CBS        OSFAP\n\n\n\n CPS        OSFAP\n\n\n\nDLCD        OSFAP\n\n\n\n DLSS       OSFAP\n\n\n\n DLOS       OSFAP\n\n\n\n FFEL       OSFAP\n\n\n\n MDE        OSFAP\n\n\n\nNSLDS       OSFAP\n\n\n\n PEPS       OSFAP\n\n\n\n PELL       OSFAP\n\n\n\nTIVWAN      OSFAP\n\n\n                                    BLUE                                    GREEN                               YELLOW\n\n\n                                                              11\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n                                                 Exhibit 1\nSummary Risk: This is an indicator of the "highest" level (color) of risk associated with the\nsystem, determined by the highest severity Risk in the other columns. [Modified from \xe2\x80\x9cSolution\nRisk\xe2\x80\x9d in the MITRE scorecard by including Validation and Implementation risk directly in the risk\ndrivers summarized, rather than only including them indirectly through the Time risk driver.]\n\nCOTS Software: This indicator is based on risks associated with COTS application software is\nby the system. [Modified from MITRE model by only including applications software.]\n\xe2\x99\xa6 Blue: IV&V has reported that all COTS products were found compliant.\n\xe2\x99\xa6 Green: All COTS application software used by the system has been certified by the\n    manufacturer as compliant, and the POC responsible has documented this certification.\n\xe2\x99\xa6 Yellow: Some COTS products have not yet been certified by the manufacturer as compliant,\n    but certification or replacement with a compliant version is expected; or the certification\n    documentation has not been maintained by the Program Office.\n\xe2\x99\xa6 Red: At least one COTS manufacturer will not certify a product as compliant, and certification\n    or replacement with a compliant version isn\'t expected, requiring replacement.\n\nNetwork and Operating Environment: This is an indicator of risks related to the system\xe2\x80\x99s\nhardware, operating system(s), and networking components. [Modified from MITRE model by\nadding COTS hardware and systems software, and deleting infrastructure components outside the\ncontrol of the Department (i.e. power systems, water supply, public safety, airports, etc.).\n\xe2\x99\xa6 Blue: The system\xe2\x80\x99s infrastructure components have been validated by IV&V.\n\xe2\x99\xa6 Green: No specific issues related to hardware, operating system(s), and networking\n   components required for successful operation of system have been identified by IV&V.\n\xe2\x99\xa6 Yellow: IV&V has identified the system\'s Hardware, Operating Systems, or a Networking\n   components as requiring upgrade and/or additional testing.\n\xe2\x99\xa6 Red: At least one component was found to be non-compliant, and replacement with a\n   compliant version isn\'t expected, requiring replacement and possible system modification.\n\nExternal Interfaces: This is an indicator of risks related to data exchanges with the system\xe2\x80\x99s\ninternal and external trading partners.\n\xe2\x99\xa6 Blue: IV&V has validated all data exchanges with the system\xe2\x80\x99s internal and external trading\n    partners as having been sufficiently tested, including all end-to-end test cycles that include this\n    system.\n\xe2\x99\xa6 Green: IV&V has made no specific comments relating to the reliability of data exchanges, or\n    has recommended testing but identified specific known issues.\n\xe2\x99\xa6 Yellow: IV&V has identified specific issues relating to data exchanges that must be addressed\n    or tested.\n\xe2\x99\xa6 Red: There are date exchanges known to be non-compliant (or that cannot be tested) and\n    which therefor still must be renovated for the system to exchange data in a compliant manner.\n\n\n\n\n                                                       12\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n                                                 Exhibit 1\nResources: This is an indicator of risks related to the Department having sufficient resources\n(staff, funds, management support) to complete the Y2K project successfully.\n\xe2\x99\xa6 Blue: There are no unresolved issues related to resource risk.\n\xe2\x99\xa6 Green: There are only minor, resolvable issues related resource risk.\n\xe2\x99\xa6 Yellow: There are significant issues requiring management attention to ensure adequate\n    resources are provided for timely and successful completion of the project.\n\xe2\x99\xa6 Red: Management has not committed to providing adequate resources, or there are external\n    limitations that would prevent adequate resources from being made available.\n\nTime: This is an indicator of risks related to the Department\'s ability to meet statutory or\nadministration imposed deadlines for achieving Y2K milestones.\n\xe2\x99\xa6 Blue: The renovated, or newly developed system has been successfully put into service prior\n   to the OMB deadline of 3/31/1999, and IV&V has issued its final report with no significant\n   issues identified regarding the system\'s compliance.\n\xe2\x99\xa6 Green: There are no known issues that should delay the renovated, or newly developed system\n   from being successfully put into service prior to the OMB deadline of 3/31/1999.\n\xe2\x99\xa6 Yellow: There is a risk that the system won\'t be implemented, or that IV&V may not be able\n   to issue its final report on the system, prior to 3/31/1999.\n\xe2\x99\xa6 Red: There are known issues to which would prevent one or more system components from\n   being put into service prior to the OMB deadline of 3/31/1999 if not given prompt and\n   continuous attention from Department management.\n\nValidation: This indicates risks related to the timeliness and completeness of the IV&V process.\n\xe2\x99\xa6 Blue: Final report issued with no additional testing of core system outstanding.\n\xe2\x99\xa6 Green: Report issued with minor testing or monitoring of some system components still\n   recommended; or, report to be issued by OMB validation deadline of 1/31/1999 and no\n   significant areas still untested.\n\xe2\x99\xa6 Yellow: Report is not due until after OMB deadline, but will be issued with adequate time for\n   system to be implemented with OMB deadline.\n\xe2\x99\xa6 Red: Final report may not be issued until after OMB 3/31/1999 deadline for implementation\n   allowing possibility that concerns identified by IV&V will have to addressed after that\n   deadline, or no independent IV&V contractor report is expected.\n\nImplementation: This is an indicator of risks related to the timeliness and completeness of the\nsystem implementation.\n\xe2\x99\xa6 Blue: System has met the GAO definition of implementation.\n\xe2\x99\xa6 Green: System has been reported as implemented, however, there may be steps remaining to\n    meet GAO definition of implementation such as end-to-end testing with data partners, or\n    completion and testing of contingency plans..\n\xe2\x99\xa6 Yellow: Planned implementation date is prior to OMB deadline, and there are no known\n    issues to prevent achieving that date.\n\xe2\x99\xa6 Red: Planned implementation date is after OMB deadline, or there are known issues which\n    may prevent achieving a planned date earlier than the OMB deadline.\n\n                                                       13\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\n\n                                                Appendix\nSystem Name              System Function\n\nED Central               The Grant Administration and Payment System (GAPS) module of EDCAPS\nAutomated                supports the grant planning, pre-award and award management of ED\nProcessing               programs. It interfaces with other program office systems, referred to as\nSystem                   feeder systems, to process their obligation and payment data. GAPS controls\n(EDCAPS)                 payments for ED\'s programs. GAPS services as a subsidiary the FMSS general\n                         ledger for program-related obligations, payments and expenditures. GAPS\n                         interfaces with FMSS at the summary level for purposes of funds control and\n                         general ledger postings. GAPS also supports the ED\'s regulatory development\n                         and clearance process and maintains its regulatory library. The Financial\n                         Management System Support (FMSS) module provides the functionality for\n                         general ledger and funds management. FMSS also includes receipt\n                         management; payments management for administrative funds; funds\n                         availability checks for FFEL; and cost management that includes performance\n                         measures. The Recipient System (RS) module serves as a recipient database\n                         for ED. Functionally, the RS serves to validate whether an entity is eligible to\n                         receive funds. It also maintains various indicative data regarding contacts,\n                         mailing addresses, bank account information, tax identification information,\n                         and whether an entity is currently under suspension or debarment.\n\nDept. of                 All of the hardware/software supports the EDNET by developing, maintaining\nEducation                and facilitating the implementation of a sound and integrated information\nInfrastructure           technology architecture, and promotes the effective and efficient design and\n(EDNET)                  operation of all major information resources management processes.\n\nCampus-Based             CBS supports all database maintenance and operations for the Federal Perkins\nSystem (CBS)             Loan (Perkins), Federal College Work-Study (FWS), Supplemental\n                         Educational Opportunity Grant (SEOG), Income Contingent Loan, National\n                         Science Scholars, and Default Reduction Assistance programs. In addition,\n                         stand-alone PC programs are created to enable ED and its customers to more\n                         efficiently administer and manage the various aspects of these programs.\n\n                         The primary mission of CBS is to gather data from 4300 institutions of\n                         postsecondary education who wish to participate in Perkins, FWS, and SEOG,\n                         to calculate each award according to legislatively-prescribed formulae, and to\n                         enter financial transaction information into ED\'s accounting system.\n\n\n\n\n                                                       14\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\nSystem Name              System Function\n\nCentral                  The primary role of the CPS is to process aid applications (FAFSAs) through\nProcessing               a series of data checks, formula calculations and verification checks with other\nSystem (CPS)             Federal agencies. CPS then prints the information and eligibility results on the\n                         Student Aid Report (SAR) for mailing to the student or institution. CPS\n                         interacts with numerous other Federal systems, thousands of institutions, and\n                         millions of students. In order to perform these functions, the CPS performs\n                         data matches with: 1) Federal agencies 2) NSLDS; and 3) a Hold File, which\n                         includes Federal Pell Grant Overpayments and other problem cases. CPS is\n                         also responsible for the development, testing, and distribution of the\n                         EDExpress Software, FAFSA Express Software, EDE Express Tutorial\n                         Software, and the Pell Payment Software.\n\nDirect Loan              These two systems jointly are responsible for the servicing of all 5.8 million\nServicing                Direct Loans and maintains the ledger accounts for all financial transactions\nSystem (DLSS)            associated with the program. The servicing system is built on top of Digital\nand Direct               VAX hardware and the Central Database Router System /Financial\nLoan Central             Accounting System is built on IBM mainframe hardware\nDatabase\n(DLCD)\n\nDirect Loan              This system supports the delivery of the Direct Loan Program by providing\nOrigination/             the front end processing of direct student loans with the participating\nConsolidation            institutions of higher education. The system enables the making of direct\nSystem                   student loans to eligible borrowers and then transmits the appropriate booked\n(DLOS)                   loan data to the Central Database and Loan Servicing systems. This system\n                         also provides for the consolidation of multiple student loans into a single\n                         direct consolidation loan.\n\nFederal                  FFEL services defaulted loans and grants, FFEL Program lenders, FFEL\nFamily                   Program State Agencies, and closed school loans.FFELP System is used to\nEducation                pay interest and special allowances to lenders and to pay default claims to\nLoan System              guarantors. The FFEL Debt Collection Subsystem, is used to support ED\n(FFEL)                   collection of defaulted loans from all Title IV loan programs and to collect\n                         Federal Pell Grant overpayments.\n\nMultiple Data            MDE provides all computer applications requisite to the image-based\nEntry                    processing of original FAFSAs, Renewal Applications, Student Aid Reports\nSystem                   (SARs), Correspondence, FAFSA Express and FAFSA/ Renewal WEB\n(MDE)                    signature documents, and return mail. MDE collects the data from ED\xe2\x80\x99s\n                         paper-based forms; performs document analysis and data entry services,\n                         transmits the collected data to the ED Central Processing System; and\n                         performs other related services.\n\n\n\n                                                       15\n\x0cED OIG Management Information Report S11-80014\nReview of Year 2000 Related Risk To Programs Administered under Title IV of the Higher Education Act\n\nSystem Name              System Function\n\nNational                 NSLDS prescreens Title IV aid applications to ensure no ineligible students\nStudent Loan             receive aid. NSLDS collects student enrollment data from schools and\nData System              distributes it to the guaranty agencies and the Direct Loan servicer for further\n(NSLDS)                  distribution, to ensure all loans are repaid in a timely manner. NSLDS\n                         calculates cohort default rates for schools, guaranty agencies and lenders to\n                         ensure that only quality institutions are participating in Title IV programs.\n                         NSLDS allows schools and guaranty agencies access to online functions that\n                         assist them in tracking students\xe2\x80\x99Title IV aid history. NSLDS supports policy\n                         and budget research conducted by various offices within ED, as well as the\n                         Congressional Budget Office.\n\nPostsecondary            PEPS maintains the institution\'s level of participation in the TITLE IV\nEducation                programs of administering student financial aid. It is used primarily by\nParticipants             oversight authorities to certify, and audit postsecondary institutions\nSystem (PEPS)            participation within the program. PEPS feeds data to NSLDS, to maintain\n                         current participation levels and for calculating default rates; and, to OCFO for\n                         maintenance of audits.\n\nPell Grant               PELL stores program information on post-secondary, institutions and on\nRecipient                recipients. It provides fund accountability and control information, and source\nFinancial                data for program budgeting and evaluation.\nManagement\nSystem (PELL)\n\nTitle IV Wide            TIV WAN provides the network link from institutions to the Department\xe2\x80\x99s\nArea Network             systems, i.e., CPS, NSLDS, Pell, and DLOS, for delivery of student financial\n(TIVWAN)                 information.\n\n\n\n\n                                                       16\n\x0c                                 REPORT DISTRIBUTION LIST\n                                   Control Number 11-80014\n                                                               No. of\nOffice of the Deputy Secretary                                 Copies\n\nMarshall Smith                                                   2\nActing Deputy Secretary\n\n\nOffice of Student Financial Assistance\n\nGreg Woods                                                       2\nChief Operating Officer\n\nGerard Russomano                                                 4\nDirector, Postsecondary Systems Service\n\nOCF/CIO\n\nDonald Rappaport                                                 2\nChief Financial Officer and Acting Chief Information Officer\n\n\nDavid Dexter                                                     4\nActing Y2K Project Director\n\n\nED Office of Inspector General (electronically)\n\nInspector General                                                1\nAssistant Inspector General for Audit                            1\nAssistant Inspector General for Investigations                   1\nAssistant Inspectors General for Operations                      1 each\nDirector, Advisory & Assistance, State and Local                 1\nDirector, PAMS                                                   1\nRegional Inspectors General for Audit                            1 each\n\x0c'